18 Android Models Under Attack
Google issued a warning about an Android zero-day flaw that is being actively attacked. The flaw gives a hacker full control over 18 phone models including the Pixel handset and devices made by Samsung, Huawei and Xiaomi. Google's Project Zero warned that it suspected the vulnerability was being exploited by the controversial Israeli-based NSO Group Technologies or one of its customers. The NSO Group has been criticized for selling zero-day exploits to authorized governments. The NSO Group denied having anything to do with the exploit, including selling it.
The vulnerability can be exploited in several ways. One way is when a victim is enticed to download a rogue app. The second way includes chaining the bug with an additional vulnerability in the code that Chrome browser uses to render content. According to Maddie Stone, the Project Zero member who found the flaw, it is a kernel privilege escalation bug using a use-after free vulnerability, accessible from inside the Chrome sandbox.
According to Google Project Zero, the use-after-free bug was patched in 2018 for versions 3.18, 4.4, and 4.9 of the Android kernel. Unfortunately, the fix did not make it to Google's monthly Android security updates. A list of vulnerable devices includes Pixel 1, Pixel 1 XL, Pixel 2, Pixel 2 XL, Huawei P20, Xiaomi Redmi 5A, Xiaomi Redmi Note, Xiaomi A1, Oppo A3, Moto Z3, LG Oreo phones, Samsung S7, Samsung S8 and Samsung S9. A patch for the vulnerability has been released as part of Google’s October Android security update.